Snort mailing list archives
Re: Snort not generating alerts
From: James Dickenson <jdickenson () gmail com>
Date: Thu, 24 Oct 2013 22:53:11 -0700
Matt,

I skimmed through that doc. I didn't see anywhere that they have you configure the rulesets running on the sensor. They have you set the paths for the whitelist and blacklist for the IP reputation preproc, but no rule enabling/disabling that I can see.

You should see near the end of your snort.conf where the rules are enabled and disabled. They should look something like this:

*snip*
include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/backdoor.rules
*snip*

Go through those and figure out what makes sense for you to run. If it has a pound in front of it, it is commented out, obviously. You can also do a 'wget www.testmyids.com' to test whether your sensor is up and working.

The other option is to look at pulledpork and modify your snort.conf to use that to manage and update your rulesets. Most people recommend doing that, as managing them by hand can be quite tedious.

There is a lot of other tuning that can and probably should be done in the snort.conf file. I suggest looking through it and familiarizing yourself with it. Start with the rules and HOME_NET and EXTERNAL_NET, then look at the preprocessors, starting with the stream5 and frag3 preprocs.

Hopefully that gets you up and running. Good luck!

-James

On Wed, Oct 23, 2013 at 8:15 AM, Matt . <sttwok82 () gmail com> wrote:
Resending as this apparently didn't go through yesterday.

I'm ramping up on Linux and Snort, so not highly familiar with them yet. That said, I've installed Snort and Snort Report onto Ubuntu 12.04 via the instructions at the following URL and fixed the errors that prevented snort and barnyard2 from running.

http://www.symmetrixtech.com/articles/016-snortinstallguide2953.pdf

At this point I am not able to determine why it's not generating alerts after test vulnerability scans are run; the log files are empty. If I add the following lines, uncommented, to the bottom of snort.conf, data is put into the log files and database. But once I comment out the lines, nothing is generated.

#alert ip any any -> any any (msg:"Got an IP Packet"; classtype:not-suspicious; sid:2000000; rev:1;)
#alert icmp any any -> any any (msg:"Got an ICMP Packet"; classtype:not-suspicious; sid:2000001; rev:1;)
#alert icmp any any -> any any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:2000499; rev:4;)

I've searched online and am stumped. Any assistance, pointers, recommendations would be much appreciated.

Thanks,
Matt

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
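The check James describes (which include lines in snort.conf are live and which carry a leading pound) and the situation Matt reports (rule lines that only fire while uncommented) are both easy to audit with a small script. The following is an added example for this thread, not code posted by either participant; the snort.conf fragment inside it is constructed for illustration, and the function names are my own. It lists the rule files that are actually loaded, the ones that are commented out, counts inert rule lines, and checks that HOME_NET is defined to something other than "any".

```shell
#!/bin/sh
# Added example: audit a snort.conf for enabled vs. commented-out rule
# includes and rule lines, so a sensor that never alerts can be explained.
# The configuration text below is constructed for this example only.

SNORT_CONF_SAMPLE='ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH ../rules
include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/local.rules
#alert icmp any any -> any any (msg:"Got an ICMP Packet"; classtype:not-suspicious; sid:2000001; rev:1;)
'

# Rule files that are actually loaded: include lines with no leading '#'.
enabled_includes() {
    printf '%s' "$1" | grep -E '^[[:space:]]*include[[:space:]]+\$RULE_PATH/' | awk '{print $2}'
}

# Rule files that are present in the config but commented out.
disabled_includes() {
    printf '%s' "$1" \
      | grep -E '^[[:space:]]*#[[:space:]]*include[[:space:]]+\$RULE_PATH/' \
      | sed -E 's/^[[:space:]]*#[[:space:]]*include[[:space:]]+//'
}

# Number of individual rule lines (alert/log/pass/drop/...) that are commented
# out and therefore never evaluated; prints 0 when there are none.
disabled_rules() {
    printf '%s' "$1" | grep -cE '^[[:space:]]*#[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]'
}

# Succeeds (exit 0) only when HOME_NET is defined and is not the catch-all "any".
home_net_set() {
    printf '%s' "$1" | grep -qE '^[[:space:]]*ipvar[[:space:]]+HOME_NET[[:space:]]+' && \
    ! printf '%s' "$1" | grep -qE '^[[:space:]]*ipvar[[:space:]]+HOME_NET[[:space:]]+any[[:space:]]*$'
}

# Human-readable summary of the checks above.
audit() {
    conf="$1"
    echo "Enabled rule files:";       enabled_includes "$conf"  | sed 's/^/  /'
    echo "Commented-out rule files:"; disabled_includes "$conf" | sed 's/^/  /'
    echo "Commented-out rule lines: $(disabled_rules "$conf")"
    if home_net_set "$conf"; then echo "HOME_NET: set"; else echo "HOME_NET: missing or 'any'"; fi
}

# Run against the constructed sample. To audit a live sensor, pass the real
# file instead, e.g.  audit "$(cat /etc/snort/snort.conf)"  (path is an assumption).
audit "$SNORT_CONF_SAMPLE"
```

On the sample this reports one enabled rule file, two commented-out rule files, one commented-out rule line and a populated HOME_NET; on a real sensor, an empty "Enabled rule files" list is the usual reason no alerts are ever written.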
Current thread:
- Snort not generating alerts Matt . (Oct 23)
- Re: Snort not generating alerts James Dickenson (Oct 24)
- <Possible follow-ups>
- Snort not generating alerts Matt . (Oct 30)
- Re: Snort not generating alerts James Lay (Oct 30)
- Re: Snort not generating alerts rmkml (Oct 30)
- Re: Snort not generating alerts James Lay (Oct 30)